Dec 14, 2010


Static and Dynamic Technologies for Securing Web Applications

Omri Weisman
Manager, Static Analysis Group
IBM Rational Software, Israel
weisman@il.ibm.com
Web Applications are the greatest risk to organizations

- Web application vulnerabilities represented the largest category in vulnerability disclosures
- In 2009, 49% of all vulnerabilities were Web application vulnerabilities
- SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot

Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
What is the Root Cause?

1. Developers not trained in security
   - Most computer science curricula have no security courses
   - Focus is on developing features
   - Security vulnerability = BUG

2. Under investment from security teams
   - Lack of tools, policies, process
   - Lack of resources

3. Growth in complex, mission critical online applications
   - Online banking, commerce, Web 2.0, etc.

Result: Application security incidents are on the rise
Security Testing Within the Software Lifecycle

[Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production)]
Most issues are found by security auditors prior to going live.
Security Testing Within the Software Lifecycle

[Chart: the desired profile of % of issues found by stage of SDLC (Coding, Build, QA, Security, Production)]
IBM Rational AppScan Suite – Comprehensive Application Vulnerability Management

Stage          Product                            Role
Requirements   Security Requirements Definition   Security requirements defined before design & implementation
Code           AppScan Source                     Build security testing into the IDE
Build          AppScan Build                      Automate security / compliance testing in the build process
QA             AppScan Tester                     Security / compliance testing incorporated into testing & remediation workflows
Pre-prod       AppScan Standard                   Security & compliance testing, oversight, control, policy, audits
Production     AppScan Standard                   Outsourced testing for security audits & production site monitoring

Across the stages: AppScan Enterprise, AppScan onDemand, AppScan Reporting Console

Application Security Best Practices – Secure Engineering Framework
Black Box vs. White Box

Black Box: “Hacker in a box”
- Requires running site
- Crawl, Test, Validate
- Product: AppScan Standard Ed.

White Box: “Automated code review”
- Requires source-code/bytecode
- Source-to-Sink Analysis
- Product: AppScan Source Ed.
White-Box: Source-to-Sink Analysis

Sources -> Sanitizers -> Sinks

Many injection problems:
- SQL Injection
- XSS
- Log Forging
- Path Traversal
- Code Execution
- …

Undecidable problem
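As an added example (not code from the deck or from AppScan), a toy taint analysis in Python that implements this slide's source, sanitizer, sink model over a constructed mini-IR; the names in SOURCES, SINKS and SANITIZERS and the sample handler are assumptions. Its weak-update rule also shows why a finite approximation of infinitely many executions reports flows that may not be exploitable.

```python
"""Toy source-to-sink taint analysis (added example, not AppScan's engine).

Program = constructed mini-IR, a list of statements analysed in order:
  ("source", var, source_name)           var = request.getParameter(...)
  ("sanitize", var, src_var, sanitizer)  var = sanitizer(src_var)
  ("concat", var, parts)                 parts: variable names or ("lit", text)
  ("sink", sink_name, var)               db.execute(var), response.write(var), ...
Reassignment never clears taint (weak update): a redefinition means "var may
hold this on some path", so the result over-approximates all executions.
"""
from dataclasses import dataclass

# Each sink is dangerous for one vulnerability class; a sanitizer neutralizes
# only the classes listed for it (html_escape does nothing against SQLi).
SOURCES = {"request.getParameter", "request.getHeader", "request.getCookie"}
SINKS = {"db.execute": "SQL Injection", "response.write": "XSS",
         "new File": "Path Traversal", "Runtime.exec": "Code Execution",
         "log.info": "Log Forging"}
SANITIZERS = {"sql_quote": {"SQL Injection"}, "html_escape": {"XSS"},
              "basename": {"Path Traversal"}, "strip_newlines": {"Log Forging"}}
VULNS = sorted(set(SINKS.values()))


@dataclass(frozen=True)
class Finding:
    vuln: str
    source: str
    sink: str
    stmt_index: int


def analyse(program):
    """Report every source->sink flow not cut by a sanitizer for the sink's class.
    taint[var][vuln] = sources whose data may reach var still unsanitized for vuln."""
    taint, findings = {}, []

    def label(var):  # taint record of var, created empty on first use
        return taint.setdefault(var, {v: set() for v in VULNS})

    for i, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "source":
            _, var, src = stmt
            assert src in SOURCES, src
            for v in VULNS:
                label(var)[v].add(src)
        elif kind == "sanitize":
            _, var, src_var, san = stmt
            incoming = {v: set(s) for v, s in label(src_var).items()}  # copy: var may be src_var
            for v, srcs in incoming.items():
                if v not in SANITIZERS[san]:  # class not covered by this sanitizer
                    label(var)[v] |= srcs
        elif kind == "concat":
            _, var, parts = stmt
            for part in parts:
                if isinstance(part, str):  # variables propagate taint, literals do not
                    for v, srcs in label(part).items():
                        label(var)[v] |= srcs
        elif kind == "sink":
            _, sink, var = stmt
            vuln = SINKS[sink]
            findings += [Finding(vuln, s, sink, i) for s in sorted(label(var)[vuln])]
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return findings


# Constructed sample: a servlet-style handler flattened into the mini-IR.
SQL = ("lit", "SELECT * FROM users WHERE name='")
SAMPLE = [
    ("source", "name", "request.getParameter"),
    ("sanitize", "safe", "name", "html_escape"),
    ("concat", "q1", [SQL, "safe", ("lit", "'")]),
    ("sink", "db.execute", "q1"),          # wrong sanitizer for SQL: SQL Injection
    ("sink", "response.write", "safe"),    # right sanitizer for HTML: clean
    ("sanitize", "quoted", "name", "sql_quote"),
    ("concat", "q2", [SQL, "quoted", ("lit", "'")]),
    ("sink", "db.execute", "q2"),          # clean
    ("source", "page", "request.getHeader"),
    ("sanitize", "page", "page", "basename"),  # sanitized on one path only
    ("sink", "new File", "page"),          # reported, may be non-exploitable (approximation)
    ("sink", "log.info", "name"),          # Log Forging
]

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f"stmt {f.stmt_index}: {f.vuln} via {f.source} -> {f.sink}")
```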
Black-Box vs. White-Box – Paradigm

Black Box: Cleverly “guesses” behaviors that may demonstrate vulnerabilities
White Box: Examines an infinite number of behaviors in a finite approach (approximation)
Black-Box vs. White-Box – Perspective

Black Box:
- Works as an attacker
- HTTP awareness only
- Works on “the big picture”

White Box:
- Resembles code auditing
- Inspects the small details [screenshot: “SQL Injection Found”]
- Hard to “connect the dots”
Black-Box vs. White-Box – Prerequisite

Black Box:
- Any deployed application
- Mainly used during testing stage

White Box:
- Application code
- Mainly used in development stage
Black-Box vs. White-Box – Compatibility

Black Box:
- Oblivious to languages, platforms
- Different communication protocols require attention

White Box:
- Different languages require support
  - Some frameworks too
- Oblivious to communication protocols
Black-Box vs. White-Box – Scope

Black Box: exercises the entire system
- Servers (Application, HTTP, DB, etc.)
- External interfaces
- Network, firewalls

White Box: identifies issues regardless of configuration
Black-Box vs. White-Box – Time/Accuracy Tradeoffs

Black Box:
- Crawling takes time
- Testing mutations takes (infinite) time

White Box:
- Refined model consumes space
- And time…
- Analyzing only “important” code
  - Approximating the rest
Black-Box vs. White-Box – Accuracy Challenges

Black Box challenge: cover all attack vectors
White Box challenge: eliminate non-exploitable issues
Black Box OR White Box?
Security Testing Technologies... Combination Drives Greater Solution Accuracy

- Static Analysis (Whitebox): Automated Code Review
- Dynamic Analysis (Blackbox): Hacker in a box

[Venn diagram: within "Total Potential Security Issues", the Static Analysis and Dynamic Analysis circles overlap; the overlap is labelled "Best Coverage"]
Smarter security for a smarter planet
